Woolworths still 'reluctant' to list all companies that handle its data

Woolworths says there are security risks - and no benefits to be had - from disclosing the names of all technology and data partners and suppliers that process or otherwise handle customer data.

The grocery retailer made the comments in a submission to the Attorney-General’s review of the Privacy Act, which kicked off at the end of October last year.

The review, among other topics, examines how consent to use consumer data is collected, and what kind of data uses should be subject to more explicit permissions or settings.

The issue of where consumer data is sent for post-processing or compliance purposes is a vexed one, and has been since rules requiring such disclosures in privacy policies went live back in early 2014.

At the time, there was some backlash over a list of the geographic locations where data was sent.

Seven years later, Woolworths believes there is “no demonstrable consumer benefit” in being even more granular, by disclosing who receives the data, not just where it might go.

Additionally, the retailer has warned that disclosing recipients or processors of consumer data could cause security issues, presumably by creating a shortlist of potential targets.

“In terms of the extent of information provided to customers on data use and sharing, it is worth noting that there are data security, cyber security and fraud considerations that mean businesses should be reluctant to disclose a full list of partners with whom they might need to share personal information,” Woolworths said in its Privacy Act review submission. [pdf]

“Further, large businesses work with many technology and data partners and suppliers, with changes over time, which makes continual updating onerous with no demonstrable consumer benefit.

“In most instances, consumers will be assisted by receiving information about the types of companies to which data may be provided, with illustrative examples provided where relevant.”

Woolworths already more or less does this in its existing privacy policy; part 7 assures that “all of our overseas sharing of personal information to be done in a way which requires observance of strict privacy and security standards, both during transit and at the overseas destination.”

It then goes on to list a series of generic disclosure use cases, such as to “a trusted service provider who is in the business of providing data storage and processing services” or to “a reinsurer of some of our insurance offerings [that] uses computer systems in Switzerland and the United States to store insurance-related personal information”.

It’s worth noting that Woolworths’ argument broadly mirrors an earlier position it laid out with respect to how consent and disclosure is managed around its loyalty business.

Back then - late 2019 - it similarly argued that disclosures should be balanced against customer interest - which again, it did not believe would be served with an exhaustive list of processors and other recipients of consumer data.

“For example, Woolworths considers that informing consumers of the category of recipients with whom it shares data (for example, technology companies which support our business operations such as Salesforce), along with naming partners who play a particularly substantial or significant role in a service or are likely to be of interest to consumers (for example, Qantas), will be more effective than an exhaustive list of company names which consumers are unlikely to recognise or derive benefit from, which may change on an ongoing basis, and which may create challenges with respect to cybersecurity,” it said at the time.

Broadly, in its latest submission, Woolworths asked for more time to consider other possible changes to the Privacy Act, including redefining “personal information” and the effort that would be required to give consumers a “right to be forgotten”; that is, to allow customers to request their deletion from Woolworths’ systems on request.